mirrorctl is still a young project, and the documentation is still a work-in-progress.
mirrorctl is a mirror-syncing utility for Debian & Ubuntu software repositories.
If you’re looking for a reliable, secure, and easy-to-use utility for syncing external mirrors, consider mirrorctl.
mirrorctl only updates the publicly-facing mirror once a successful mirror sync is complete. Users will never see a mirror with a ‘sync in progress’ message.
Create repository snapshots at will, giving you the ability to easily roll-back to a known-good mirror state or to facilitate reproducible builds. You can even stage snapshots for testing before promoting them to production.
You can sync only the portions of a mirror that you want, limiting your sync based on architecture, component or suite. You can even filter repository downloads to exclude certain patterns or download only a prescribed number of package versions.
mirrorctl provides a ‘--dry-run’ flag that shows you how much storage would be used by a repository sync without actually downloading the packages. This helps you to gauge storage needs before you sync your repositories.
mirrorctl can optionally prune repository snapshots based on a set count of snapshots, or you can prune your repository based on a snapshot’s age. Either way, mirrorctl makes it easy to keep storage needs in check.
mirrorctl validates checksums before downloading packages, and only downloads a package when its checksum matches. Supported checksum types are md5, sha1, sha256 and sha512.
By default, the application requires that you provide the upstream mirror’s public PGP key, ensuring the integrity of downloaded packages. (This feature can be disabled if needed during testing.)
The application can validate upstream mirror TLS support, and allows you to configure minimum and maximum TLS versions. For advanced use cases, mirrorctl also supports custom certificate authorities, mutual TLS certificate/key combinations, specific cipher selections, and Server Name Indication (SNI) configurations.
mirrorctl does not manipulate mirrors (for example, it doesn’t merge packages from one repository into another), so the PGP keys provided by the upstream repositories are the only keys that you need to work with.
mirrorctl also blocks directory traversal attempts, restricts symlinks to approved directories, and validates all file paths. This prevents malicious repository metadata from accessing files outside of prescribed boundaries.
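The checksum gating and path validation described above can be illustrated with a small Python example. This is added example code written for this page, not mirrorctl's own implementation: it parses a constructed Packages stanza, rejects a metadata-supplied Filename that is absolute, escapes the mirror root via '..', or passes through a symlink that points outside the root, and schedules a download only when the local file is missing or its size or SHA256 differs from the index. The package names, paths and hashes are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample payload and a Packages-style index that references it.
# The SHA256 below is computed from the constructed payload, not copied
# from any real repository.
PAYLOAD_GOOD = b"fake .deb contents for the example\n"
PAYLOAD_GOOD_SHA256 = hashlib.sha256(PAYLOAD_GOOD).hexdigest()

SAMPLE_PACKAGES = f"""Package: example-pkg
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb
Size: {len(PAYLOAD_GOOD)}
SHA256: {PAYLOAD_GOOD_SHA256}

Package: evil-pkg
Version: 0.1
Architecture: amd64
Filename: ../../etc/passwd
Size: 1
SHA256: {"0" * 64}
"""


def parse_packages(text):
    """Split a Packages index into dicts, one per blank-line-separated stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            # Continuation lines start with a space; this toy parser skips them.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def safe_target(mirror_root, relative_name):
    """Resolve a metadata-supplied Filename under mirror_root.

    Returns None when the name is absolute, climbs out of the root via '..',
    or any symlink on the way resolves to a location outside the root.
    """
    root = Path(mirror_root).resolve()
    if os.path.isabs(relative_name):
        return None
    candidate = (root / relative_name).resolve()  # normalises '..' and follows symlinks
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def needs_download(target, expected_sha256, expected_size):
    """True when the local file is missing or does not match the index entry."""
    if target is None or not target.is_file():
        return True
    if target.stat().st_size != expected_size:
        return True
    digest = hashlib.sha256()
    with open(target, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest() != expected_sha256


def plan_sync(mirror_root, packages_text):
    """Return (to_download, rejected): Filenames to fetch and Filenames refused."""
    to_download, rejected = [], []
    for stanza in parse_packages(packages_text):
        name = stanza["Filename"]
        target = safe_target(mirror_root, name)
        if target is None:
            rejected.append(name)
            continue
        if needs_download(target, stanza["SHA256"], int(stanza["Size"])):
            to_download.append(name)
    return to_download, rejected


def demo():
    """Exercise the plan against a throwaway mirror directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["before"] = plan_sync(tmp, SAMPLE_PACKAGES)
        good = Path(tmp) / "pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb"
        good.parent.mkdir(parents=True)
        good.write_bytes(PAYLOAD_GOOD)
        results["after"] = plan_sync(tmp, SAMPLE_PACKAGES)
        # A symlink planted inside the tree that points outside the root.
        (Path(tmp) / "pool" / "escape").symlink_to("/")
        results["symlink_escape"] = safe_target(tmp, "pool/escape/etc/hosts")
    return results


if __name__ == "__main__":
    print(demo())
```

The first plan schedules the good package and refuses the traversal entry; after the file is written with the expected content, the second plan has nothing left to download, and the symlink that leads out of the root is refused as well.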
Each release is signed by our repository’s cosign key, and includes a Software Bill of Materials, allowing you to easily validate the artifacts and their dependencies.